vista的已逆出代码
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <shtypes.h>
#include <shlobj.h>
// Vtable shape of an undocumented Vista shell object, as reversed from the
// binary: one slot after IUnknown's three (QueryInterface, AddRef, Release).
// Only dwShow has a known meaning; the other DWORD/HANDLE slots are passed as
// zero by the caller below. The Win7 listing in the next post declares a
// different signature and different GUIDs, so this layout is Vista-specific:
// on another build the same slot index lands on an unrelated method.
class BROWINTERFACE : public IUnknown
{
public:
// Vtable slot 3. Caller passes the URL as a PIDL and dwShow = 10.
virtual void __stdcall navigate(LPITEMIDLIST, DWORD dwShow, DWORD dwUnknown, DWORD dwUnknown1, HANDLE, DWORD dwUnknown2) = 0;
};
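int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPTSTR lpCmdLine, int nCmdShow)
{
    // Opens a URL through an undocumented Vista shell COM object by calling
    // BROWINTERFACE::navigate, the vtable slot reversed from the Vista binary.
    // The CLSID/IID pair and the slot layout are version-specific (the Win7
    // post uses different ones), so the call is only meaningful on Vista.
    // All four WinMain parameters are unused.
    // Returns 0 once navigate() has been issued, 1 on any earlier failure
    // (the original fell off the end of a non-void function).
    int rc = 1;
    if (SUCCEEDED(CoInitialize(NULL)))
    {
        // CoCreateInstance(REFCLSID, pUnkOuter, dwClsContext, REFIID, ppv):
        // the first GUID is the class id and the fourth the interface id; the
        // original listing named them the other way round. Both are copied as
        // their raw 16-byte in-memory layout.
        GUID clsid, iid;
        memcpy(&clsid, "\x74\x84\x42\x78\x3B\x47\x60\x46\x90\x68\xF2\xAA\x7F\x6C\xB2\x27", sizeof(clsid));
        memcpy(&iid, "\xA7\x04\x63\xA8\xCA\x17\x95\x45\x99\xAB\x52\x30\x43\xA9\xC4\xAC", sizeof(iid));

        BROWINTERFACE* browser = NULL;
        // 1 in the original == CLSCTX_INPROC_SERVER.
        if (SUCCEEDED(CoCreateInstance(clsid, NULL, CLSCTX_INPROC_SERVER, iid, (void**)&browser)) && browser != NULL)
        {
            // TEXT() keeps the literal matching ILCreateFromPath's TCHAR
            // signature in both ANSI and UNICODE builds.
            LPITEMIDLIST pidl = ILCreateFromPath(TEXT("http://www.google.com"));
            if (pidl != NULL)
            {
                // 10 in the original == SW_SHOWDEFAULT; remaining slots were
                // traced as zero and their meaning is unknown.
                browser->navigate(pidl, SW_SHOWDEFAULT, 0, 0, NULL, 0);
                ILFree(pidl);
                rc = 0;
            }
            browser->Release();
        }
        CoUninitialize();
    }
    return rc;
}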
win7的还不通用,囧!
win7的如下:
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <shtypes.h>
#include <shlobj.h>
// Vtable shape of the undocumented Win7 shell object, as reversed from the
// binary: one slot after IUnknown's three (QueryInterface, AddRef, Release).
// The signature differs from the Vista listing in the previous post (an extra
// leading GUID, dwShow moved to the last position), which is why neither
// listing works on the other OS version.
class BROWINTERFACE : public IUnknown
{
public:
// Vtable slot 3. The caller passes the GUID copied from the byte string
// below, the URL as a PIDL, three zero DWORDs and dwShow = 10.
virtual void __stdcall navigate(const GUID& nUnknown, LPITEMIDLIST, DWORD dwUnknown, DWORD dwUnknown1, DWORD dwUnknown2, DWORD dwShow) = 0;
};
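int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPTSTR lpCmdLine, int nCmdShow)
{
    // Win7 variant of the Vista listing above: opens a URL by calling the
    // undocumented BROWINTERFACE::navigate slot reversed from the Win7 binary.
    // GUIDs and the method signature differ from the Vista build, so this
    // only makes sense on Win7. All four WinMain parameters are unused.
    // Returns 0 once navigate() has been issued, 1 on any earlier failure
    // (the original fell off the end of a non-void function).
    int rc = 1;
    if (SUCCEEDED(CoInitialize(NULL)))
    {
        // CoCreateInstance(REFCLSID, pUnkOuter, dwClsContext, REFIID, ppv):
        // the first GUID is the class id and the fourth the interface id; the
        // original listing named them the other way round. All three are
        // copied as their raw 16-byte in-memory layout.
        GUID clsid, iid, nUnknown;
        memcpy(&clsid, "\xCE\x9C\x84\x1F\x46\x25\x9F\x4B\xB0\x3E\x40\x04\x78\x1B\xDC\x40", sizeof(clsid));
        memcpy(&iid, "\x60\x46\x8E\x57\x03\xE4\x8F\x4E\x9F\xD4\x6D\x55\x9F\x7A\x0E\xDC", sizeof(iid));
        // Decodes to {75DFF2B7-6936-4C06-A8BB-676A7B00B24B}, the GUID the last
        // post in this thread sees in explorer's "/factory,{...} -Embedding"
        // command line. What navigate() does with it was not traced.
        memcpy(&nUnknown, "\xB7\xF2\xDF\x75\x36\x69\x06\x4C\xA8\xBB\x67\x6A\x7B\x00\xB2\x4B", sizeof(nUnknown));

        BROWINTERFACE* browser = NULL;
        // 1 in the original == CLSCTX_INPROC_SERVER.
        if (SUCCEEDED(CoCreateInstance(clsid, NULL, CLSCTX_INPROC_SERVER, iid, (void**)&browser)) && browser != NULL)
        {
            // TEXT() keeps the literal matching ILCreateFromPath's TCHAR
            // signature in both ANSI and UNICODE builds.
            LPITEMIDLIST pidl = ILCreateFromPath(TEXT("http://www.google.com"));
            if (pidl != NULL)
            {
                // 10 in the original == SW_SHOWDEFAULT; the three zero DWORDs
                // were traced as zero and their meaning is unknown.
                browser->navigate(nUnknown, pidl, 0, 0, 0, SW_SHOWDEFAULT);
                ILFree(pidl);
                rc = 0;
            }
            browser->Release();
        }
        CoUninitialize();
    }
    return rc;
}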
貌似没有通用的方法,
cmd /c start "" bbs.pediy.com
或者读注册表获得默认浏览器的路径,然后加参数运行之.
另,空格可以用%20之类的代替试试.
不知道是否各个版本都支持。
请教LZ是怎么跟踪explorer进程的,采用的什么工具,IDA还是OD,还是别的什么???
OD跟踪。
过段时间,我准备再继续跟踪XP的BROWSEUI.DLL.#106函数,看看有什么技巧没有。
无力了,跟踪XP的BROWSEUI.#106,除了一大堆检测代码外,关键代码就是往ShellWindow发消息,精简后如下:
#include <stdio.h>
#include <stdlib.h>
#define _WIN32_WINNT 0x0500
#include <windows.h>
#include <shtypes.h>
#include <shlobj.h>
#include <shlwapi.h>
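int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPTSTR lpCmdLine, int nCmdShow)
{
    // Asks the XP shell process (the owner of GetShellWindow()) to open a URL
    // by posting undocumented message 0x40B with a handle to a shared-memory
    // block, the mechanism reversed from BROWSEUI.#106. The message number,
    // the block layout and the flag words are exactly what the trace showed;
    // none of them is documented, and the post notes Vista ignores it.
    // All four WinMain parameters are unused. Returns 0 once the message has
    // been posted, 1 otherwise.
    typedef HANDLE (__stdcall* PFN_SHAllocShared)(LPCVOID lpData, DWORD dwSize, DWORD dwProcessId);
    typedef BOOL   (__stdcall* PFN_SHFreeShared)(HANDLE hData, DWORD dwProcessId);
    typedef LPVOID (__stdcall* PFN_SHLockShared)(HANDLE hData, DWORD dwProcessId);
    typedef BOOL   (__stdcall* PFN_SHUnlockShared)(LPVOID lpData);

    // Byte offset of the URL inside the block == 17 DWORDs (index 0x11 below).
    const DWORD kHeaderSize = 0x44;

    int rc = 1;
    // shlwapi.dll is a system DLL; loading it by bare name is fine here.
    HMODULE hMod = LoadLibrary(TEXT("shlwapi.dll"));
    if (hMod == NULL)
        return rc;

    // On XP these four are exported by ordinal only (7..10). The original
    // called them without checking; a missing export would have been a call
    // through NULL, so every pointer is validated before use.
    PFN_SHAllocShared  pfnAlloc  = (PFN_SHAllocShared) GetProcAddress(hMod, (LPCSTR)7);
    PFN_SHLockShared   pfnLock   = (PFN_SHLockShared)  GetProcAddress(hMod, (LPCSTR)8);
    PFN_SHUnlockShared pfnUnlock = (PFN_SHUnlockShared)GetProcAddress(hMod, (LPCSTR)9);
    PFN_SHFreeShared   pfnFree   = (PFN_SHFreeShared)  GetProcAddress(hMod, (LPCSTR)10);

    // GetShellWindow() is NULL when no shell is running; the original then
    // posted to a NULL window with dwPid == 0.
    HWND hShell = GetShellWindow();
    DWORD dwPid = 0;
    if (pfnAlloc != NULL && pfnLock != NULL && pfnUnlock != NULL && pfnFree != NULL
        && hShell != NULL
        && GetWindowThreadProcessId(hShell, &dwPid) != 0
        && AllowSetForegroundWindow(dwPid))
    {
        LPCWSTR lpUrl = L"http://www.google.com";
        // URL is stored as UTF-16 including the terminator.
        const DWORD dwUrl  = (DWORD)((lstrlenW(lpUrl) + 1) * sizeof(WCHAR));
        const DWORD dwSize = dwUrl + kHeaderSize;

        // The block is allocated in the shell process's address space.
        HANDLE hShared = pfnAlloc(NULL, dwSize, dwPid);
        if (hShared != NULL)
        {
            BOOL posted = FALSE;
            DWORD* block = (DWORD*)pfnLock(hShared, dwPid);
            if (block != NULL)   // original wrote through this pointer unchecked
            {
                // Header slots 3..0xF were never written by the original; zero
                // them so no indeterminate bytes are handed to another process.
                memset(block, 0, kHeaderSize);
                block[0] = dwSize;         // total block size
                block[1] = 0x02000000;     // flag word as traced; meaning unknown
                block[2] = 10;             // same value the COM listings pass as dwShow — presumably SW_SHOWDEFAULT
                block[0x10] = kHeaderSize; // offset of the URL from the block start
                memcpy(block + 0x11, lpUrl, dwUrl);
                pfnUnlock(block);
                // 0x40B == WM_USER + 0x0B; undocumented, as traced.
                posted = PostMessage(hShell, 0x40B, 0, (LPARAM)hShared);
            }
            if (posted)
            {
                rc = 0;   // the receiver is assumed to free the block — matches the original
            }
            else
            {
                pfnFree(hShared, dwPid);
            }
        }
    }
    FreeLibrary(hMod);
    return rc;
}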
而且这段代码在vista下一点反应都没有。再跟踪桌面explorer就费事了,再说吧……
这个会覆盖已经存在的浏览器页面。
********************************
跟踪过Explorer代码,最终是调用browseui.#127,但是如果自己伪造参数调用,虽然可以用默认浏览器打开,但是浏览器窗口竟然是属于自己的进程的?!而不是新创建一个浏览器进程或者附属于已存在浏览器进程。
********************************
跟踪Vista的,结果在RPCRT4.DLL的空间跑来跑去,貌似没有跟踪价值。
********************************
发现在64位Win7下直接用com打开新链接,而不借助explorer,仍然有滞留的explorer进程。后来发现这个explorer是有参数的,“/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding”,它是由某个svchost.exe创建的。也就是说即便是借助explorer完成这一任务,所滞留的explorer进程也不是所借助的那个进程。
既然如此,也没有必要再追寻下去了……